
Registering IP Phone by NAT

luis_Borja
Level 1

Is this possible???

A customer wants to register an IP Communicator, but without VPN, and in their infrastructure there isn't an Expressway.

Their firewall is a third-party one; in Wireshark it appears that there is communication between the computer and CUCM, but IP Communicator doesn't register.

A co-worker tells me that this is not possible, because the voice payload contains additional data that is not handled by NAT.

Regards

Aaron Harrison
VIP Alumni

Hi

The firewall would have to be NAT-aware for skinny/SIP, but also for things like fiddling the CUCM IP addresses in the phone config files that CIPC downloads.

I'd say it wouldn't work.

Also it would be massively insecure - authentication of phones to CUCM by default is simply by MAC or (in the case of CIPC) a user-configurable device ID (that might be MAC, or username, or '1'). Given that the signalling is plaintext it would be very insecure; a remote hacker could simply keep registering with random device names against your SCCP service on CUCM until they get lucky.

I would tell your client not to do it, and that it's not possible anyway. 

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!

Thank you so much Aaron,

Another question: do you have any documentation that explains why this isn't possible? My client keeps questioning this.

Thanks so much again.

According to the release notes, CIPC works with VPN solutions that provide a virtual interface to bind to. http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cipc/8_5/english/release_notes/CIPC_Release_Notes_8_6/CIPC_Release_Notes_8_6_chapter_00.html#CIPC_RF_S6A8B454_00

No VPN solution = no VPN interface. That's the only supported method for remote access.

Beyond that it's simply knowing a little about how CIPC works - it receives config info from CUCM with IP addresses in it, and those IPs will be internal IPs that are not routable over the Internet. It's just extremely bad practice and poor security to attempt to make CUCM available on the Internet directly.

Aaron

Aaron Please remember to rate helpful posts to identify useful responses, and mark 'Answered' if appropriate!
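An added illustration of the point in the reply above, not code from the thread or from Cisco: the config a softphone downloads carries server addresses as data, which a firewall that only translates packet headers leaves untouched. The sample XML, its element names and its addresses are constructed assumptions, and `embedded_addresses` and `unreachable_from_internet` are hypothetical helper names.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed, simplified stand-in for a downloaded phone config file.
# Element names and addresses are assumptions, not a real CUCM export.
SAMPLE_CONFIG = """\
<device>
  <callManagerGroup>
    <member priority="0"><processNodeName>10.10.20.5</processNodeName></member>
    <member priority="1"><processNodeName>10.10.20.6</processNodeName></member>
  </callManagerGroup>
  <servicesURL>http://192.168.50.10:8080/services</servicesURL>
  <timeServer>203.0.113.7</timeServer>
</device>
"""

# RFC 1918 private ranges: never routable across the Internet.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV4 = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")


def embedded_addresses(xml_text):
    """Return (element path, address) for each IPv4 literal in text or attributes."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        for value in [elem.text or ""] + list(elem.attrib.values()):
            for candidate in IPV4.findall(value):
                try:
                    addr = ipaddress.ip_address(candidate)
                except ValueError:
                    continue  # looks like an address but is not one
                findings.append((here, addr))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(xml_text), "")
    return findings


def unreachable_from_internet(xml_text):
    """Addresses the client is told to contact but cannot reach from outside."""
    return [(path, str(addr)) for path, addr in embedded_addresses(xml_text)
            if any(addr in net for net in RFC1918)]
```

Every entry this returns is an address the remote client would try to contact directly after reading its config, regardless of what the firewall did to the packet that delivered the file.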

Thank you Aaron, this helped me.

Regards